In recent work, Kobayashi observed that the acceptance by an alternating tree automaton $\mathcal{A}$ of an
infinite tree generated by a higher-order recursion scheme $\mathcal{G}$ may be formulated as the typability
of the recursion scheme in an appropriate intersection type system associated to the automaton $\mathcal{A}$.
The purpose of this article is to establish a clean connection between this line of work and Bucciarelli
and Ehrhard’s indexed linear logic. This is achieved in two steps. First, we recast Kobayashi’s result
in an equivalent infinitary intersection type system where intersection is not idempotent anymore.
Then, we show that the resulting type system is a fragment of an infinitary version of Bucciarelli
and Ehrhard’s indexed linear logic. While this work is very preliminary and does not integrate key
ingredients of higher-order model-checking like priorities, it reveals an interesting and promising
connection between higher-order model checking and linear logic.


1 Introduction 

Model-checking is a well-established technique in formal verification, based on the following
model-theoretic procedure. In order to decide whether a given program P satisfies a property $\varphi$ of interest, one
interprets the program P into an appropriate model and translates the property $\varphi$ into an equivalent
automaton. The fact that the program P satisfies the property $\varphi$ is then reduced to the existence of a
successful run of the automaton $\mathcal{A}$ over the interpretation of the program P in the model, which is decidable.
In the specific case of higher-order model checking, a higher-order program P is modelled as a
higher-order recursion scheme (HORS) which generates the tree of all its possible behaviours. Recall that given
a signature $\Sigma$ and a set of variables Y, a higher-order recursion scheme $\mathcal{G}$ consists of
a set of simply-typed non-terminals $\mathcal{N}$, of an axiom $S \in \mathcal{N}$ of type $o$, and of a set of equations (or
rewriting rules) of the form


$F = \lambda x_1 \cdots \lambda x_n.\ t$ (denoted $\mathcal{R}(F)$)

where $t$ is a term of base type $o$ and $F \in \mathcal{N}$ has simple type $\sigma_1 \to \cdots \to \sigma_n \to o$. One requires moreover
that there is exactly one such equation per non-terminal, and that the simple types of $F$ and of $\mathcal{R}(F)$
coincide. Every such recursion scheme $\mathcal{G}$ may be thus seen as a term of the simply typed $\lambda$-calculus
with fixpoint operator Y. By definition, the order of a recursion scheme is the maximal order of its
non-terminal’s simple type. An example of an order-2 scheme over the signature $\Sigma = \{a : 2, b : 1, c : 0\}$ is


$F = \lambda x.\, a\ x\ (F\ (b\ x))$

The labelled and ranked tree generated by the recursion scheme is called the value tree of the scheme.
It is computed by application of these rules starting from the axiom. In our illustration, the value tree of
the recursion scheme (1) depicted in Figure 1 is obtained as the limit of the rewriting sequence:

$S \to F\ c \to a\ c\ (F\ (b\ c)) \to a\ c\ (a\ (b\ c)\ (F\ (b\ (b\ c)))) \to \cdots$

Figure 2: An alternating run-tree.

Figure 1: An order-2 tree. 


The decidability of monadic second order logic (MSO) over the value trees computed by higher-order
recursion schemes was established for the first time by Ong [10] using game semantics. Other proofs of
the same decidability result were then elaborated, either based on collapsible pushdown automata [ V ], on
an intersection type system ['5] or on Krivine machines [12]. All these proofs are based on the reduction
of the decidability of MSO to the decidability of the modal $\mu$-calculus, which is in turn equivalent to
the existence of a winning run-tree of an alternating parity automaton $\mathcal{A}$ on the value tree of the
higher-order recursion scheme $\mathcal{G}$. Recall that an alternating tree automaton proceeds in the same way as a usual
top-down tree automaton, but with an additional ability: at each step of its exploration, the automaton
can decide to explore a given subtree of the current node several times, or not at all. Since each of
these explorations may be seen as occurring on a different copy of the same subtree, everything thus
works as if the alternating automaton duplicates the subtree the number of times it explores it. By way
of illustration, keeping the same signature $\Sigma = \{a : 2, b : 1, c : 0\}$ as before, a typical transition will
duplicate the rightmost child of a node labelled $a \in \Sigma$ and explore the first copy with state $q_0$ and the
second copy with state $q_2$:

$\delta(q_0, a) = (1, q_1) \wedge (2, q_0) \wedge (2, q_2)$ (2)

In particular, when applied to the value-tree of the recursion scheme in Figure 1, the transition induces
a run-tree whose upper nodes are depicted in Figure 2. The starting point of this work is the observation
of an apparent similarity between this ability of alternating automata to duplicate a tree in order to explore
it several times and the duplication mechanisms associated to the exponential modality of linear logic. In
order to clarify this tentative connection between linear logic and higher-order model checking, we start
from the type-theoretic account of alternating parity automata by Kobayashi and Ong Q. For simplicity,
we prefer to restrict ourselves to Kobayashi’s work [8] and do not consider priorities (or parity conditions)
at this stage. By doing so, we restrict the expressivity of the logic to safety properties. A treatment of
priorities would be possible however, along the lines of our recent observation [!6l that priorities behave
in just the same comonadic way as the exponential modality of linear logic.

Plan of the paper 

We start by recalling in §2 the intersection type system originally considered by Kobayashi [8]. The
first contribution of the paper is to establish in §3 a correspondence theorem between this type system
and a quantitative variant of Kobayashi’s type system where intersection is not idempotent anymore.
This preliminary step leads us to establish in §4 that the quantitative intersection type system is a full
fragment of an infinitary version of Bucciarelli and Ehrhard’s indexed linear logic lHHH.


2 Intersection types and alternating tree automata 

The type-theoretic account of higher-order model-checking initiated by Kobayashi O is based on the
idea that a transition like (2) may be reflected by giving to the symbol $a \in \Sigma$, in addition to its simple
type $o \to o \to o$, the refined intersection type $q_1 \to (q_0 \wedge q_2) \to q_0$. In this approach, every such symbol
$a \in \Sigma$ of the signature will generally have several such refined types, each of them derived from the
transitions $\delta(q, a)$ associated to each state $q \in Q$ of the underlying alternating automaton $\mathcal{A}$. Note that
the existence of an accepting alternating run-tree over the value tree of a recursion scheme involves
infinite objects, whose structure can be very complex; observe in particular that the order-2 tree of
Figure 1 is not regular. In that respect, the type-theoretic account of the tree automaton $\mathcal{A}$ has one main
benefit: the refined types defined on the symbols $a, b, c$ of the signature $\Sigma$ may be lifted to every
simply-typed $\lambda$-term appearing in the recursion scheme. By way of illustration, consider again the recursion
scheme (1) and assume that the alternating automaton $\mathcal{A}$ has the additional transitions

$\delta(q_0, b) = (1, q_2)$     $\delta(q_2, b) = (1, q_0) \wedge (1, q_1)$.

In this situation, the symbol $b$ of simple type $o \to o$ is given the refined types $q_2 \to q_0$ and $(q_0 \wedge q_1) \to q_2$
and one can thus type the term $\mathcal{R}(F)$ in the following way:

$\lambda x.\, a\ x\ (F\ (b\ x)) : (q_0 \wedge q_1 \wedge q_2) \to q_0$

under the assumption that the non-terminal $F$ of simple type $o \to o$ has the refined types $q_0 \to q_0$ and
$q_2 \to q_2$. From this lifting property, Kobayashi lUl deduces a decision procedure for the existence of a
run-tree of the alternating automaton $\mathcal{A}$ over the value-tree of the recursion scheme $\mathcal{G}$. Here, we consider
the intersection type system of [^i] as it is recently rephrased by Ong and Tsukada [11]. We thus define
refined pre-types as follows:

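Refined pre-types $\sigma, \tau ::= q \mid \tau \to \sigma \mid \bigwedge_{j \in J} \tau_j$

Note that in this system refined types have to match the shape of simple types. To ensure this, denoting
$\sigma$ a refined type and $\kappa$ a simple type¹, we introduce the proper refinement relation $\sigma :: \kappa$, defined by the
following rules:

$$\frac{}{\vdash q :: o} \qquad \frac{\vdash \tau_j :: \kappa \ \text{(for all } j \in J\text{)} \qquad \vdash \sigma :: \kappa'}{\vdash \bigwedge_{j \in J} \tau_j \to \sigma :: \kappa \to \kappa'}$$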

A refined type is a refined pre-type which properly refines a simple type. A sequent is of the form

$x_1 : \tau_1 :: \kappa_1, \ldots, x_n : \tau_n :: \kappa_n \vdash M : \sigma :: \kappa$

where the context

$\Gamma = x_1 : \tau_1 :: \kappa_1, \ldots, x_n : \tau_n :: \kappa_n$

is a sequence of different variables, each of them typed by a refined type and by the simple type it refines.
The rules of the system are given in Figure 3.

¹ In Kobayashi’s original article H. simple types were called kinds, and the word "type" was reserved to what we call here
refined types.
Figure 3: Kobayashi’s intersection type system (rules Axiom, Application and Lambda).


The decidability result requires that the set of refinement types $\sigma$ which refine a given simple type $\kappa$
remains finite. To that purpose, intersection is required to be idempotent in Kobayashi’s type system.
This idempotency property may be neatly formulated by requiring that intersections are stable under
surjective reindexing $f : J \twoheadrightarrow I$ in the sense that

$$\bigwedge_{j \in J} \sigma_{f(j)} = \bigwedge_{i \in I} \sigma_i$$

for every family $\{\sigma_i \mid i \in I\}$ of refinement types indexed by a finite set $I$. Note in particular that the
expected equation

$\sigma \wedge \sigma = \sigma$

follows from the consideration of the surjective reindexing $\{1,2\} \to \{1\}$. At this stage, we make the
following observation:

Lemma 1. If $\Gamma \vdash t : \sigma :: \kappa$ in Kobayashi’s system and $t$ $\eta$-expands to $t'$, then $\Gamma \vdash t' : \sigma :: \kappa$.

In other words, typability is preserved by $\eta$-expansion in Kobayashi’s type system. For that reason,
we will only consider $\beta\eta$-long normal form $\lambda$-terms in the sequel.
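
As an added illustration (not code from the paper), the following Python program derives the refined types of a and b from the transitions quoted in this section and checks the typing of λx. a x (F (b x)) against them. The encoding of types as (arguments, result) pairs, the function names, the restriction to β-normal terms and the standard reading of the Axiom, Application and Lambda rules are assumptions of the example; F is given the types q0 → q0 and q2 → q2.

```python
# Added illustration, not code from the paper. A refined type is a state name
# (str) or a pair (args, result); args is a frozenset, so intersection is idempotent.

def type_of_transition(q, arity, conj):
    """delta(q, f) = conjunction of (direction, state) ~> refined type of f."""
    ty = q
    for d in range(arity, 0, -1):
        ty = (frozenset(s for (i, s) in conj if i == d), ty)
    return ty

def show(ty):
    if isinstance(ty, str):
        return ty
    return "(%s) -> %s" % (" ^ ".join(sorted(map(show, ty[0]))), show(ty[1]))

def spine(t):
    """Split h N1 ... Nk into (h, [N1, ..., Nk])."""
    args = []
    while t[0] == "app":
        args.append(t[2])
        t = t[1]
    return t, args[::-1]

def check(env, t, ty):
    """Does the beta-normal term t have refined type ty under env?"""
    if t[0] == "lam":                       # Lambda rule
        if isinstance(ty, str):
            return False
        return check({**env, t[1]: ty[0]}, t[2], ty[1])
    head, actuals = spine(t)
    if head[0] != "var":
        raise ValueError("only beta-normal terms are handled")
    for cand in env.get(head[1], ()):       # Axiom rule: pick one component
        cur = cand
        for n in actuals:                   # Application rule, per argument
            if isinstance(cur, str) or not all(check(env, n, tau) for tau in cur[0]):
                break
            cur = cur[1]
        else:
            if cur == ty:
                return True
    return False

def var(x): return ("var", x)
def app(m, n): return ("app", m, n)

# Transitions quoted in the text: (2) for a, and the two transitions for b.
DELTA = {
    ("q0", "a"): [(1, "q1"), (2, "q0"), (2, "q2")],
    ("q0", "b"): [(1, "q2")],
    ("q2", "b"): [(1, "q0"), (1, "q1")],
}
ARITY = {"a": 2, "b": 1}

def signature_types():
    env = {}
    for (q, f), conj in DELTA.items():
        env.setdefault(f, set()).add(type_of_transition(q, ARITY[f], conj))
    return {f: frozenset(ts) for f, ts in env.items()}

# R(F) = \x. a x (F (b x)); F is assumed to have types q0 -> q0 and q2 -> q2.
BODY = ("lam", "x", app(app(var("a"), var("x")), app(var("F"), app(var("b"), var("x")))))
F_TYPES = frozenset({(frozenset({"q0"}), "q0"), (frozenset({"q2"}), "q2")})

def rule_typable(x_states):
    """Is R(F) : (AND of x_states) -> q0 derivable?"""
    env = {**signature_types(), "F": F_TYPES}
    return check(env, BODY, (frozenset(x_states), "q0"))

if __name__ == "__main__":
    for f, ts in sorted(signature_types().items()):
        print(f, ":", sorted(map(show, ts)))
    print(rule_typable({"q0", "q1", "q2"}), rule_typable({"q0", "q1"}))
```

Dropping any one of the three states from the type of x makes the check fail, which shows that each component of the intersection is used by the derivation.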

3 A quantitative variant of the original type system 

Seen from the point of view of linear logic, Kobayashi’s type system appears as a variant of natural
deduction based on an additive translation of intuitionistic logic. In order to prepare the forthcoming
connection with indexed linear logic, we turn it into a sequent calculus based this time on a multiplicative
translation of intuitionistic logic. This leads us to the system of Figure 4 where the finite intersections
are no longer required to be stable under surjective reindexing. Note that we do not even require any
associativity or commutativity condition on the intersection: in particular, the intersections are not even
stable under bijective reindexing.

We say that a variable $x$ occurs linearly in a context $\Gamma$ when the variable $x$ has refined type $q$ or
$\bigwedge_{i \in I} \tau_i \to \sigma$ in the context $\Gamma$. In other words, the variable $x$ is declared linear when the principal
connective of its type is not an intersection. We say that the variable $x$ occurs linearly in a $\lambda$-term $t$ when there
exists a unique occurrence of the variable $x$ in $t$.

Lemma 2. If $\Gamma \vdash t : \sigma :: \kappa$ and $x$ occurs linearly in $\Gamma$, then $x$ occurs linearly in $t$.

An important consequence of the lemma is that the variable $x$ occurs linearly in the $\lambda$-term $M$
considered in the Left $\to$ rule. From this follows that the Left $\to$ rule which transforms $M$ into the
$\lambda$-term $M[x := f\ N]$ introduces exactly one application node $f\ N$ in the $\lambda$-term $M$.
Figure 4: The quantitative intersection type system (rules Axiom, Left $\wedge$, Left $\to$, Right $\to$, Weakening and Contraction).


Both intersection type systems formulated in Figure 3 and in Figure 4 are designed to simulate an
alternating automaton $\mathcal{A}$ exploring the value-tree of a higher-order recursion scheme $\mathcal{G}$. One main
difference comes from the fact that in Kobayashi’s system the multiplicity of usage of a given state
is not tracked, so that a function using its argument twice with refined type in order to answer a
request $q_1$ may actually be typed $q_0 \wedge q_2 \to q_1$. This is impossible in the quantitative system, where
the Weakening rule only introduces an intersection indexed by the empty family. In order to formalize a
precise connection between the type systems, we thus need an appropriate notion of order over qualitative
refined types (that is, the idempotent refined types of Kobayashi’s system). This notion of order is
precisely the one of the Scott lattice model of linear logic, see for instance [15] [5]:

• If $\sigma :: o$ and $\tau :: o$, then $\sigma \leq \tau$ if and only if $\sigma = \tau$.

• Define Aiei ^ ^ AjeJ ^'j types refine a same simple type K —)• k', 

T ^ t' and V/ G / By G / aj a,-. 

Given a quantitative type $\sigma$, define its collapse $|\sigma|$ as the qualitative type canonically obtained by
assuming stability by surjective reindexing. This operation is extended to contexts in the standard way.
We may now give a precise description of the connection between the two type systems. We will see
in the next section that the quantitative type system is in fact designed to reflect the relational semantics
of linear logic; this correspondence theorem may be seen as a type-theoretic transcription of Ehrhard’s
recent collapse theorem [5] between the relational semantics of linear logic and its Scott lattice model.

Theorem 1. Every derivation tree of one system may be effectively translated in the other either by lifting 
qualitative types or by collapsing quantitative types: 

• If $\Gamma \vdash t : \sigma :: \kappa$ in the quantitative system, then $|\Gamma| \vdash t : |\sigma| :: \kappa$ in Kobayashi’s system.

• If XI : Oi :: fCi,... ,Xn ■ On Kn\- t : z \ K in Kobayashi’s system, there exists quantitative types 
Oi(\ <i<n) and Z such that 
- V/ G {1,... 

- V/ G 

- xi : Oi :: Ki,. 


di :: Kj and f :: K, 

Id;! a, and |f| ^ t, 

. ,Xn : On ■■ Kn\- t \ z \ K in the quantitative system. 


4 A linear interpretation of intersection types 

In this section, we give an alternative formulation of the fragment of Bucciarelli and Ehrhard’s indexed 
linear logic necessary to interpret general continuations, and thus higher-order recursion schemes. The 
restriction of Bucciarelli and Ehrhard’s indexed linear logic l[T]|3 to this specific fragment enables us to
annotate every proof of the logic with a simply-typed $\lambda$-term. This leads us to a formulation of indexed
linear logic in the style of de Carvalho O’]. We then explain how to translate Kobayashi’s type system
into the resulting fragment of indexed linear logic. 


4.1 Indexed Linear Calculus 


Every formula of indexed linear logic is indexed by a countable indexing set J. As already mentioned, 
we will focus on the fragment of the logic corresponding to general continuations, whose formulas are 
generated by the following grammar: 

Linear pre-formulas $A, B ::= \bot_J \mid S \multimap A$

Replicable pre-formulas $S, T ::= !_u A$

where $J$ is any countable set, and where $u : J \to K$ is any function between the two countable indexing
sets $J$ and $K$. Every linear or replicable formula of indexed linear logic is defined as a pre-formula
obtained by a series of applications of the rules below.

$$\frac{}{\vdash_J \bot_J} \qquad \frac{\vdash_J S \qquad \vdash_J A}{\vdash_J S \multimap A} \qquad \frac{\vdash_J A \qquad u : J \to K}{\vdash_K\ !_u A}$$

Quite obviously, there exists for every linear formula $A$ a unique countable indexing set $J$ such that $\vdash_J A$.
This specific countable set $J$ is called the domain $\mathrm{dom}(A)$ of the formula $A$. Now, suppose given a set
$Q = \{q_1, \ldots, q_n\}$ of elements, typically representing the states of an alternating automaton $\mathcal{A}$. The types
of the logic are then defined by the following grammar:

Linear pre-types $\sigma, \tau ::= q \mid \varphi \multimap \sigma$

Compound pre-types $\varphi, \psi ::= [\sigma_j \mid j \in J]$

where $J$ is any countable set of indices. A type is then defined as a pre-type which refines a specific
formula of our fragment of indexed linear logic. The refinement relation is defined by structural induction,
and may be formulated by the following derivation rules.


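$$\frac{q_j \in Q \ \text{(for all } j \in J\text{)}}{\vdash_{j \in J} q_j :: \bot_J} \qquad \frac{\vdash_{j \in J} \varphi_j :: !_u A \qquad \vdash_{j \in J} \sigma_j :: B}{\vdash_{j \in J} \varphi_j \multimap \sigma_j :: !_u A \multimap B} \qquad \frac{\vdash_{j \in J} \sigma_j :: A \qquad u : J \to K}{\vdash_{k \in K} [\sigma_j \mid u(j) = k] :: !_u A}$$

For conciseness, $\vdash_{j \in J}$ may be abbreviated $\vdash_J$. The idea behind this formulation is that a quantitative
refinement type $\bigwedge_{k \in K} \sigma_k :: \kappa$ may be seen as an indexed type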


be/r [Oj\u{j)=k] :: !„A 


u : K^i 


where $A$ is a linear formula refining the simple type $\kappa$. Indexing by $u : K \to 2$ would give two such
intersection types in parallel. The type system of Indexed Linear Calculus (ILC) is described in Figure 5.
In the Dereliction rule, the action $u^*$ of a bijection $u : J \to K$ is defined by structural induction:
Figure 5: Indexed Linear Calculus (rules Axiom, Right, Left, Weakening, Contraction, Dereliction and Promotion).


• $u^*(\bot_K) = \bot_J$

• $u^*(S \multimap A) = u^*(S) \multimap u^*(A)$

• $u^*(!_v A) = !_{u^{-1} \circ v} A$

and in the Contraction rule, the domain restriction operation $A|_K$ where $A$ is a formula of domain $J$ is
also defined by structural induction:

• $\bot_J|_K := \bot_K$

• $(S \multimap A)|_K := S|_K \multimap A|_K$

• $(!_u A)|_K = !_v$ where $u : I \to J$ and $v : u^{-1}(K) \to K$ is equal to the function $u$ restricted
to the subset $u^{-1}(K) \subseteq I$.

Note that these operations were only defined on formulas. Their action on types is the expected one:
for the domain restriction operation, a compound type $(\sigma_j)_{j \in J}$ is restricted to $(\sigma_j)_{j \in K}$, and for the other
operation, the bijection naturally acts by reindexing over compound types.

4.2 Interpreting quantitative intersection types in ILC 

Now translating the quantitative intersection types into indexed types is essentially immediate: given a
quantitative type $\sigma$, define the corresponding indexed type $(\!|\sigma|\!)$ inductively as follows:

• $(\!|\bigwedge_{i \in I} \sigma_i|\!) = [(\!|\sigma_i|\!) \mid i \in I]$ (seen as a $\{\star\}$-indexed formula)

This operation can be inverted for $\{\star\}$-indexed formulas in the expected way. Given a $\{\star\}$-indexed type
$\sigma$, the corresponding quantitative intersection type is denoted $|\!)\sigma(\!|$.

Lifting simple types to formulas requires to index formulas properly. For example, $q_1 \wedge q_2 \to q_0$
refines the simple type $o \to o$. This lifts to the linear type $[q_1, q_2] \multimap q_0$ refining the formula $!_u \bot_2 \multimap \bot_1$
where $u$ is the unique function $\{1,2\} \to \{1\}$. Given a formula of indexed linear logic $A$, we define
inductively its corresponding simple type $\kappa(A)$ as follows:

• $\kappa(!_u A) = \kappa(A)$

• $\kappa(S \multimap A) = \kappa(S) \to \kappa(A)$

• = o 

Given a context $\Gamma = x_1 : \sigma_1 :: A_1, \ldots, x_n : \sigma_n :: A_n$ of indexed linear calculus, define its associated
quantitative intersection context $|\!)\Gamma(\!| = x_1 : |\!)\sigma_1(\!| :: \kappa(A_1), \ldots, x_n : |\!)\sigma_n(\!| :: \kappa(A_n)$.

Theorem 2.

• If the sequent $\Gamma \vdash_I M : \sigma :: A$, where $I$ is a singleton, is provable in the indexed
linear calculus, then $|\!)\Gamma(\!| \vdash M : |\!)\sigma(\!| :: \kappa(A)$ is provable in the quantitative intersection system.

• If the sequent $\Gamma \vdash M : \sigma :: \kappa$ is provable in the quantitative intersection system, there exists
a context $\Gamma'$ of the indexed linear calculus and a formula $A$ of indexed linear logic such that
$|\!)\Gamma'(\!| = \Gamma$ and that $\Gamma' \vdash M : (\!|\sigma|\!) :: A$ is provable in the indexed linear calculus.

Recall that indexation is a way to parallelize proofs with the same underlying tree, and only differing 
by their types labelling. This is the reason why the connection only makes sense for indexation families 
isomorphic to {★}. 

Remark now that the indexed linear calculus contains a lot of redundant information. Types may be 
computed from proof-trees, by picking the state information at the right axiom rule, and terms can be 
recovered from the rules of a proof-tree, since indexation ensures uniformity of terms when applying 
them - contrary to what occurs in the resource lambda-calculus. In fact, this indexed linear calculus 
captures precisely the fragment of the relational model corresponding to simply-typed $\lambda$-terms. Call
indexed tensorial logic the system obtained by removing terms and types in the indexed linear calculus. 
Then derivation trees of this logic are in bijection with ILC derivation trees. 

5 Related works 

The starting point of this work is the observation by Kobayashi ||3 that MSO model-checking over trees 
generated by higher-order recursion schemes can be performed by typing the scheme in an appropriate 
intersection type system. 

Another inspiration was the recent development by Terui ifTSl of a semantic and type-theoretic
approach based on linear logic, intersection types and automata theory in order to characterize the
complexity of evaluation to the booleans in the simply-typed $\lambda$-calculus - relating on the qualitative model
of Scott domains for linear logic. A quantitative account of intersection type in the relational model of
linear logic was given by de Carvalho |U], also with the goal of studying complexity issues.

After Ong’s seminal proof [10] of the decidability of higher-order model-checking, several others were
given. One of them, by Kobayashi and Ong [9], extends Kobayashi’s type system to capture all MSO.
Salvati and Walukiewicz are currently developing a semantic approach to higher-order model checking,
based on the interpretation of the Krivine environment machine in finite models of the $\lambda$-calculus with
fixpoint operators, in order to obtain a semantic proof of this decidability result [14] [13].
Finally, Tsukada and Ong [11] introduced two-level game semantics to provide a model of Kobayashi’s
type system.


6 Conclusion and future work 

The main purpose and contribution of the paper is to stress the tight and somewhat surprising connection 
between a series of recent advances in linear logic and the current type-theoretic approach to higher- 
order model-checking. In particular, the lucid reader will recognize that all the results stated in the 
present paper are essentially known to one community or to the other. However, besides the useful 
confrontation of two related lines of research, we believe that a tangible technical contribution of the 
paper is a careful proof of Theorem The result is somewhat folklore and appears implicitly in the 
works by Bucciarelli and Ehrhard HlEl and by de Carvalho |]3l but it was never proved (nor even formally 
stated) as far as the authors know. Another point: besides the connection between indexed linear logic 
and higher-order model checking, one main message of the paper conveyed in Theorem 1 is that the
decidability results obtained in the field of higher-order model checking are to a large part regulated by
the collapse theorem recently established by Ehrhard [5] @1. We hope that the bridge with linear logic
will clarify the constructions of higher-order model checking and reveal the deep and beautiful semantic 
ideas underlying it. 